OpenID Connect integration doesn't work with Gitlab

[BBBSnowball]

Description

Gitlab doesn't return the username with the ID token: "Only the sub and sub_legacy claims are included in the ID token, all other claims are available from the /oauth/userinfo endpoint used by OIDC clients.", see its documentation.

Synapse can use the userinfo endpoint to query that information but it doesn't do so when the "openid" scope is used (which is required to permit access to the userinfo endpoint in Gitlab). In fact, a comment in the code already considers making this configurable. This patch does that. This makes it work for me. Is this the correct way to patch that? Should I open a PR with the patch?

Steps to reproduce

• Configure OpenID Connect with Gitlab, i.e. Synapse is the relying party, Gitlab is the Authorization Server.
• I have used this mapping for the username: localpart_template: "{{ user.nickname }}"
• Try to login.
• Login fails because localpart is empty.

Version information

I'm running 1.14.0 (on NixOS) but the relevant code is the same in the develop branch.

[richvdh]

The documentation suggests you set scopes: ["read:user"]. Have you tried that?

[BBBSnowball]

Good idea. That documentation is about Github but they are similar in other aspects. No luck in this case, though. I get the following message from Gitlab after clicking the login button in Riot: The requested scope is invalid, unknown, or malformed.

Gitlab does support a read_user scope (see here):

• With scope "read_user": Synapse tries to query the userinfo endpoint. Gitlab doesn't allow that because the "openid" scope hasn't been requested. Result: synapse.http.client: [GET-4] Received response to GET https://git.c3pb.de/oauth/userinfo: 403 (in log) and 403: b'Forbidden' (in browser).
• With scopes "read_user" and "openid": Synapse does not query userinfo because "openid" scope is requested. Log: [GET-4] Extracting userinfo from id_token and synapse.handlers.oidc_handler.MappingException: localpart is empty.
• Gitlab also has a scope "profile" ("Grants read-only access to the user's profile data using OpenID Connect."). This doesn't seem to make any difference: ["read_user", "profile"] and ["read_user", "openid", "profile"] yield the same result as without profile.
• These are the only scopes that are related to OpenID Connect or reading user info.

[richvdh]

right, sorry, I'd missed that you were using gitlab rather than github. In that case I'd suggest you put up a PR for your changes and we can discuss it further. You might find it helpful to read through https://github.com/matrix-org/synapse/blob/develop/CONTRIBUTING.md first (particularly the bits about the format for the sample config file).